
Kay for AWS Community Builders


Some notes about Amazon EKS IAM OIDC Provider

Step 1

No iam:*OpenIDConnectProvider* permissions are required to create an EKS cluster with CreateCluster. The call itself gives the cluster an OpenID Connect provider URL (the OpenID Connect issuer URL), e.g. https://oidc.eks.ap-southeast-2.amazonaws.com/id/ABCABC111222333444ABCABC11122233.

And in CloudTrail, no *OpenIDConnectProvider* events are logged for this step.

Step 2

After step 1, the cluster has an OpenID Connect issuer URL associated with it, but to use IAM roles for service accounts (IRSA), an IAM OIDC provider must also exist for the cluster. See here.

Then you need to run eksctl utils associate-iam-oidc-provider, e.g.

$ eksctl utils associate-iam-oidc-provider --cluster=k-test-oicd --approve --region=ap-southeast-2 --profile test-oidc

An OpenID Connect provider with the same URL as in step 1 is created.

For this step, the role running eksctl needs at least the following permissions.

iam:CreateOpenIDConnectProvider
iam:GetOpenIDConnectProvider
iam:TagOpenIDConnectProvider

CloudTrail does NOT show these events either (e.g. CreateOpenIDConnectProvider).
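To verify step 2 before relying on IRSA, here is an added Python example (not code from the post or from eksctl): it derives the provider ARN the associate step should have created from the cluster's issuer URL, checks an account's provider list for it, and carries a least-privilege policy built from the three actions listed above. The live check_cluster function assumes boto3 and credentials with eks:DescribeCluster and iam:ListOpenIDConnectProviders; the other helpers run offline on constructed data.

```python
"""Offline-testable check: does an EKS cluster's OIDC issuer already have an IAM OIDC provider?"""
from typing import Iterable, Optional

# Least-privilege policy for `eksctl utils associate-iam-oidc-provider`,
# built from the three IAM actions listed in the post.
ASSOCIATE_OIDC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:CreateOpenIDConnectProvider",
            "iam:GetOpenIDConnectProvider",
            "iam:TagOpenIDConnectProvider",
        ],
        "Resource": "*",
    }],
}

# Constructed sample issuer, same shape as the URL quoted in the post.
SAMPLE_ISSUER = "https://oidc.eks.ap-southeast-2.amazonaws.com/id/ABCABC111222333444ABCABC11122233"


def issuer_host_path(issuer_url: str) -> str:
    """IAM identifies the provider by the issuer URL without its 'https://' scheme."""
    if not issuer_url.startswith("https://"):
        raise ValueError(f"unexpected issuer URL: {issuer_url}")
    return issuer_url[len("https://"):].rstrip("/")


def expected_provider_arn(issuer_url: str, account_id: str, partition: str = "aws") -> str:
    """ARN the associate step creates: arn:<partition>:iam::<account>:oidc-provider/<issuer>."""
    return f"arn:{partition}:iam::{account_id}:oidc-provider/{issuer_host_path(issuer_url)}"


def find_provider(issuer_url: str, provider_arns: Iterable[str]) -> Optional[str]:
    """Return the provider ARN matching this issuer, or None (IRSA not yet usable)."""
    suffix = "oidc-provider/" + issuer_host_path(issuer_url)
    return next((arn for arn in provider_arns if arn.endswith(suffix)), None)


def check_cluster(cluster_name: str, region: str) -> Optional[str]:
    """Live check; assumes boto3 and credentials with eks:DescribeCluster and iam:ListOpenIDConnectProviders."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    cluster = boto3.client("eks", region_name=region).describe_cluster(name=cluster_name)["cluster"]
    providers = boto3.client("iam").list_open_id_connect_providers()["OpenIDConnectProviderList"]
    return find_provider(cluster["identity"]["oidc"]["issuer"], [p["Arn"] for p in providers])
```

A None result from find_provider means the associate step in step 2 has not been run for that cluster yet, which is worth checking since the post notes CloudTrail gives no signal either way.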
